The present invention relates generally to the data flow control in a transmission network wherein the transported data can be compressed and/or encrypted depending upon the protocol used and recognized at each node of the network and in particular a method for controlling data flow in a network using a new compression and encryption protocol.
Nowadays the volume of information exchanged grows continually, especially with the explosion of the Internet. Furthermore, it has become necessary that most of the data transported over a network be secured and protected.
It is therefore necessary to reduce the size of the data by using compression algorithms, and also to reduce or even suppress the ability of other users of the network to look at, read and understand the data by using encryption algorithms. Encryption may also take advantage of compression: compressing first reduces the predictability of the data and so makes the encryption harder to unlock.
Data are generally encapsulated with protocols in frames or cells. Such protocols are becoming more and more complex and they introduce overhead. Besides, they also need to be protected against external penetration for security. Accordingly, it is also required to use compression and/or encryption algorithms for protocols as for other data:
compression of the protocol may be used to reduce the overhead and facilitate the understanding in order to speed up the routing/switching over the network. Encryption may be used to reduce the visibility of the protocol (type of protocol, addresses . . . ) and the risk of intrusion.
Wide Area Networks (WAN) are the best candidates for compression and encryption, because WANs are either public networks or use public links, which are very expensive and not under the protection of the entity transferring the data; it may nevertheless also be interesting to use compression and encryption on Local Area Networks (LAN). The three following cases are examples wherein compression and encryption should be used:
1. Customer networks are more and more sharing their infrastructure through common protocols such as Frame Relay or IP (Internet), which introduce security problems (confidentiality, access).
Data encryption allows the exchange of sensitive data over public access networks including the Internet. Protocol header encryption suppresses the visibility of transactions/communications and of origin/destination address names.
2. WAN links are the slowest and most costly elements in a network. The complexity and overhead introduced by the protocols, which increase over time (IPv4 to IPv6, Ethernet frame size, remote database access . . . ), degrade the usability of the network.
Data and protocol header compression improves throughput over communication lines.
3. The separate compression/encryption devices for data and for headers which exist today duplicate efforts, increase latency, and introduce compatibility problems. Furthermore, there is a need on local networks as well, because the protocol or the user is not necessarily aware whether the destination is within the LAN or accessed remotely. The locations where data and where protocols are compressed or encrypted are different. Generally, compression/encryption of data is preferably performed on end devices at the application or presentation layers, before a transparent end-to-end data transmission is performed. On the contrary, the protocol header needs to be compressed/encrypted at each routing node in order to be correctly routed. Generally, the type of compression/encryption required for data fields and for protocol fields is not the same. There is no need for an intermediate node to have a clear view of the data field: it is less secure and spends unnecessary computing resources.
Some compression protocols take data fields into account while others work exclusively on protocol headers, but no common compatible protocol exists that is able to support multi-field compression/encryption control.
Using the upper layers (application/presentation) is the easiest way to implement compression or encryption, but it means that this function is only applied to the data itself and not to the various headers with their overhead. It also means that it has to be done on each system interfacing the network. Generally, compression or encryption of data is done by software such as ZIP, TAR . . . for compression, or ViaCrypt or similar code for encryption, but this involves personal activity and time/resources on each system and does not allow compression to be performed at a lower level. Encryption should always be done after compression: since encryption randomizes the data, compression performed after encryption is not efficient. That is a good reason to move encryption today from the upper layers to the lower layers, and in any case after compression.
All these drawbacks are reduced with an implementation at the lower layers (transport/network), especially if done by hardware to reduce the compression/encryption time. At the lower layers, it may be possible to compress/encrypt not only data fields but also the header fields of the various protocols, and to do it in the right order for better efficiency. Unfortunately, the existing lower layers have a limited capability for the compression/encryption of protocols, which is specific and handles either headers or data but never both using a similar encapsulation mechanism.
In addition to the reduced amount of data transmitted on the links, there are advantages for both security and routing/switching time if it is not necessary to decompress each header at each network node. Some of the additional services are:
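The order requirement stated above (compress first, encrypt afterwards) can be measured directly. The following Python is an added example, not code from the patent: it uses zlib for the compression step and a one-time pad (XOR with a random key as long as the message) as the encryption step, since the output of any correct cipher is indistinguishable from random bytes; the sample record, the function names and the key handling are constructed for this illustration.

```python
# Added example: why compression must precede encryption.
# zlib is the compressor; a one-time pad (XOR with a random key as long as the
# message) stands in for the cipher. Sample text and function names are constructed.
import secrets
import zlib


def otp_xor(data: bytes, key: bytes) -> bytes:
    """One-time-pad XOR; the key must be at least as long as the data."""
    if len(key) < len(data):
        raise ValueError("one-time pad key shorter than data")
    return bytes(d ^ k for d, k in zip(data, key))


def make_key(n: int) -> bytes:
    """Fresh random pad of n bytes (never reuse a one-time pad)."""
    return secrets.token_bytes(n)


def compress_then_encrypt(plain: bytes, key: bytes) -> bytes:
    """The recommended order: the compressor sees structured, predictable data."""
    return otp_xor(zlib.compress(plain, 9), key)


def encrypt_then_compress(plain: bytes, key: bytes) -> bytes:
    """The wrong order: the compressor sees random-looking ciphertext."""
    return zlib.compress(otp_xor(plain, key), 9)


def size_ratios(plain: bytes, key: bytes) -> dict:
    """Bytes on the wire relative to the plaintext size, for both orders."""
    n = len(plain)
    return {
        "compress_then_encrypt": len(compress_then_encrypt(plain, key)) / n,
        "encrypt_then_compress": len(encrypt_then_compress(plain, key)) / n,
    }


def roundtrip_ok(plain: bytes, key: bytes) -> bool:
    """Receiver side of the recommended order: decrypt, then decompress."""
    return zlib.decompress(otp_xor(compress_then_encrypt(plain, key), key)) == plain


# Constructed sample: a repetitive protocol-like record, the kind of data that compresses well
SAMPLE = (b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
          b"Accept: text/html\r\n\r\n") * 50

if __name__ == "__main__":
    pad = make_key(len(SAMPLE))
    for order, ratio in size_ratios(SAMPLE, pad).items():
        print(f"{order}: {ratio:.2f} of plaintext size")
    print("round trip ok:", roundtrip_ok(SAMPLE, pad))
```

With the sample record, compressing first brings the frame to a small fraction of its original size, whereas encrypting first leaves the compressor with nothing to exploit and the output is slightly larger than the input (zlib falls back to stored blocks plus its own framing).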
Protecting data against reading or modification by unauthorized persons.
Protecting transactions against message suppression/insertion.
Verifying the originator of messages.
Accordingly, the primary object of the invention is to provide a method of implementing a global encapsulation protocol able to support multiple types and fields of compression/encryption.
Another object of the invention is to provide a compression/encryption method applying to all protocols and improving both the compression rate and the transmission delay.
Another object of the invention is to provide a new protocol able to split the various fields of a data frame by data and headers and a capability for each node to be able to manipulate, that is to compress (or decompress) and/or to encrypt (or decrypt) selected fields of the data frame.
Accordingly, the invention relates to a process for controlling frames transporting data from a transmitting Terminal to at least one receiving Terminal through a plurality of consecutive nodes including a start access node connected to the transmitting Terminal, at least one end access node connected to the receiving Terminal, and intermediary nodes, each data frame comprising one or several protocol layers respectively associated with one or several communication protocols controlling the frame flow at each node. The process consists in adding to each data frame a Data Manipulation Layer (DML) defining the parameters necessary for managing the manipulation (compression and/or encryption) of each field of the data frame located after the DML, and adding to each data frame a Control message transporting a control protocol that defines new parameters to be used by some of the plurality of nodes for managing the communication flow through the consecutive nodes.
According to a characteristic of the invention, each data frame can be divided into a plurality of zones corresponding to the protocol layers located after the DML in the data frame or consecutive parts of these protocol layers and to the data block or consecutive parts of the data block, wherein each zone comprises a first sub-zone containing a manipulated data header (MDH) defining the parameters of the following compressed and/or encrypted data, and a second sub-zone containing data (MD) which have been compressed and/or encrypted according to the parameters defined in the first sub-zone.
According to another characteristic of the invention, the parameters defined in the Control message make it possible to determine the function assigned to each node, so that a node may have the function of:
- Access Node, interfacing directly with the transmitting or receiving Terminal; such an Access Node generates the DML if it is connected to the transmitting Terminal and removes the DML if it is connected to the receiving Terminal,
- Protocol Node, for the nodes which may only have access to some manipulated headers but have no access to the data, and
- Network Node, for the nodes which have no access to headers or data, only to the Frame supervisor.
The invention relates also to a Data Manipulation Layer (DML) added to a data frame transmitted from a transmitting Terminal to at least one receiving Terminal through a plurality of consecutive nodes of at least one data transmission network (WAN), the data frame comprising one or several protocol layers respectively associated with one or several communication protocols for controlling the frame flow at each node, and the DML comprising a Frame supervisor defining the protocol to be used with the data included in the data frame, the flow identification (Flow ID) and the frame sequence number, a Control message defining new parameters to be used by some of the plurality of consecutive nodes for managing the communication flow in the network, and a DML frame header in front of the DML defining the contents of the DML.
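The structure described from the process statement onwards (a DML carrying a Frame supervisor in front of zones that each pair a manipulated data header with manipulated data, and node roles that decide which zones a node may open) can be made concrete in a few dozen lines. The Python below is an added example and not the patent's own code: the patent fixes no byte layout, so the field widths, the flag values, the version number, the SHA-256 counter keystream standing in for a real cipher, the key names, and the sample headers and payload are all constructed here. It also goes slightly beyond the text by giving header zones and the data zone different keys, so that a Protocol Node can open headers while the data block stays opaque to it.

```python
# Added example: a toy encoder/decoder for the Data Manipulation Layer (DML).
# Byte layout, field widths, flag values, node keys and the keystream below are
# all constructed for this example; the patent text fixes none of them.
import hashlib
import struct
import zlib

FLAG_COMPRESSED = 0x01   # MDH flag: MD was compressed (constructed value)
FLAG_ENCRYPTED = 0x02    # MDH flag: MD was encrypted (constructed value)
KIND_HEADER = 0          # zone carries a protocol header (Protocol Nodes may open it)
KIND_DATA = 1            # zone carries the data block (Access Nodes only)

DML_HDR = struct.Struct("!BB")      # DML frame header: version, number of zones
SUPERVISOR = struct.Struct("!BHH")  # Frame supervisor: protocol id, Flow ID, sequence number
MDH = struct.Struct("!BBH")         # manipulated data header: zone kind, flags, MD length


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for a real cipher: XOR with a SHA-256 counter keystream (constructed)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def manipulate(plain: bytes, flags: int, key: bytes) -> bytes:
    """Compress first, then encrypt, in the order the text requires."""
    out = zlib.compress(plain) if flags & FLAG_COMPRESSED else plain
    return keystream_xor(out, key) if flags & FLAG_ENCRYPTED else out


def unmanipulate(md: bytes, flags: int, key: bytes) -> bytes:
    """Reverse order: decrypt, then decompress."""
    out = keystream_xor(md, key) if flags & FLAG_ENCRYPTED else md
    return zlib.decompress(out) if flags & FLAG_COMPRESSED else out


def build_frame(protocol, flow_id, seq, headers, payload, header_key, data_key) -> bytes:
    """Access Node at the transmitting side: put the DML in front of the manipulated zones.
    Headers are only encrypted; the data block is compressed and encrypted under a
    different key, reflecting the different treatment of header and data fields."""
    zones = [(KIND_HEADER, FLAG_ENCRYPTED, manipulate(h, FLAG_ENCRYPTED, header_key))
             for h in headers]
    data_flags = FLAG_COMPRESSED | FLAG_ENCRYPTED
    zones.append((KIND_DATA, data_flags, manipulate(payload, data_flags, data_key)))
    frame = DML_HDR.pack(1, len(zones)) + SUPERVISOR.pack(protocol, flow_id, seq)
    for kind, flags, md in zones:
        frame += MDH.pack(kind, flags, len(md)) + md
    return frame


def parse_frame(frame: bytes):
    """Split a frame into its Frame supervisor and its (kind, flags, MD) zones."""
    version, n_zones = DML_HDR.unpack_from(frame, 0)
    if version != 1:
        raise ValueError("unknown DML version")
    protocol, flow_id, seq = SUPERVISOR.unpack_from(frame, DML_HDR.size)
    off, zones = DML_HDR.size + SUPERVISOR.size, []
    for _ in range(n_zones):
        kind, flags, length = MDH.unpack_from(frame, off)
        off += MDH.size
        zones.append((kind, flags, frame[off:off + length]))
        off += length
    if off != len(frame):  # truncated or padded frame: lengths in the MDHs do not add up
        raise ValueError("frame length does not match the zone lengths in the MDHs")
    return {"protocol": protocol, "flow_id": flow_id, "seq": seq}, zones


def network_node_view(frame: bytes) -> dict:
    """Network Node: switches on the Frame supervisor alone and holds no key."""
    return parse_frame(frame)[0]


def protocol_node_view(frame: bytes, header_key: bytes) -> list:
    """Protocol Node: opens the header zones with its key; the data zone stays opaque."""
    return [unmanipulate(md, f, header_key)
            for k, f, md in parse_frame(frame)[1] if k == KIND_HEADER]


def access_node_unpack(frame: bytes, header_key: bytes, data_key: bytes):
    """Access Node at the receiving side: remove the DML, restore headers and data."""
    supervisor, zones = parse_frame(frame)
    headers = [unmanipulate(md, f, header_key) for k, f, md in zones if k == KIND_HEADER]
    data = b"".join(unmanipulate(md, f, data_key) for k, f, md in zones if k == KIND_DATA)
    return supervisor, headers, data


# Constructed sample keys, headers and payload (not taken from the patent)
HEADER_KEY = b"constructed-header-key"
DATA_KEY = b"constructed-data-key"
SAMPLE_HEADERS = [b"src=10.0.0.1", b"dst=10.0.0.2"]
SAMPLE_PAYLOAD = b"account balance report\n" * 40

if __name__ == "__main__":
    f = build_frame(7, 0x1234, 1, SAMPLE_HEADERS, SAMPLE_PAYLOAD, HEADER_KEY, DATA_KEY)
    print(len(f), "bytes on the wire for a", len(SAMPLE_PAYLOAD), "byte payload")
    print("network node sees:", network_node_view(f))
    print("protocol node sees:", protocol_node_view(f, HEADER_KEY))
    print("access node recovers:", access_node_unpack(f, HEADER_KEY, DATA_KEY)[2][:23])
```

The design point is that each node parses the same MDH fields, so nothing has to be decompressed at a Network Node to route the frame, and a node that lacks the data key never obtains a clear view of the data field; the Control message that assigns roles and distributes keys is left out of the byte layout here because the patent gives it no format.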